One Community Health is telling patients that a recent data scare started outside its walls, not inside its own computer systems. The Sacramento nonprofit says a third-party vendor is to blame, even as it faces a lawsuit from a patient who claims sensitive medical and personal information was exposed. The back-and-forth is a reminder of how problems with vendors can spill into neighborhood clinics and quickly draw regulators and attorneys into the mix.
One Community Health’s Response
In an update posted on its website, One Community Health said the incident was traced to TriZetto Provider Solutions, a subcontractor used by its electronic health record partner OCHIN, and that its own internal networks were not accessed. According to the notice, TriZetto detected suspicious activity on October 2, 2025 and then supplied lists of potentially affected patients so the clinic could begin sending notifications and offering identity protection services. One Community Health also reported the incident to the California Attorney General’s office and the U.S. Department of Health and Human Services.
How The Vendor Breach Unfolded
TriZetto’s investigation, which involved outside cybersecurity experts, found that an unauthorized actor accessed historical eligibility transaction reports beginning in November 2024 and continuing until October 2, 2025, according to HIPAA Journal. Industry reporting and notices from clinics caught up in the same incident indicate the exposed records can include names, dates of birth, Social Security numbers and health insurance identifiers. The State of California’s breach-notification repository lists November 1, 2024 as the start date tied specifically to One Community Health’s filing, per the California Attorney General.
Legal Fallout And The Lawsuit
A Sacramento patient identified in court papers as Scott Carucci filed a complaint in mid-January alleging that One Community Health, which is legally known as Cares Community Health, failed to adequately protect patient information and is seeking class-action status, as reported by HealthExec. The lawsuit argues that records were shared with TriZetto without sufficient encryption and claims stronger oversight of the vendor could have prevented the exposure. One Community Health says it is working with OCHIN and TriZetto while also continuing its own internal security reviews.
What Patients Should Know And What Comes Next
TriZetto is offering complimentary credit monitoring, fraud consultation and identity restoration services through Kroll for affected patients, according to One Community Health. Separate enrollment instructions were to be mailed directly to those whose information may have been involved. Patients are also reminded that they can file complaints with the U.S. Department of Health and Human Services Office for Civil Rights and can place fraud alerts or credit freezes with the major credit bureaus.
The clinic says its internal checks have found no evidence that One Community Health’s own systems were breached and that it is coordinating outreach with OCHIN and TriZetto…